Google analytics, Guarantor of privacy: the transfer of data from Europe to the United States is illegitimate
Once again, il data transfer outside the European Union to the United States, by Google analytics, has been declared illegitimate by a personal data protection authority. This was established by the Italian Privacy Guarantor, following two similar decisions issued by its Austrian and French counterparts.
According to Ensuresthe service of Google analytics violates the provisions contained in the European General Data Protection Regulation (Gdpr), which explicitly prohibits the transfer of European user data to countries lacking adequate levels of protection, like the United States. The ruling came as a result of what has been defined by the authority as one “Complex investigation”launched on the basis of numerous complaints and in coordination with other European privacy authorities.
From the survey, it emerged that the managers of websites that use Google analytics collect, through cookies, various information that directly concern the users of the sites in question. Among the data collected are theIP address of devices, information about the search engine and system operational used, to resolution of the screen, to the lingua selected, as well as date and time of the visit.
All this information, once stored, comes transferred to the United States where users are not entitled to the protections on the use of their data guaranteed by the GDPR. This, despite the Regulation places an explicit prohibition on the transfer of data to countries that do not guarantee levels of protection equal to those in Europe. In declaring the violation of data processing, the Guarantor underlined how theIP address constitutes personal dataeven if truncated, taking into account Google’s ability to enrich it with other data it possesses.
Furthermore, in its statements, the authority recalled how the US government agencies and intelligence agencies can access all data moved to the United States, without any guarantee, underlining how a treatment of this type violates the right to privacy and confidentiality of European users.